From: Fabian Ebner
To: pve-devel@lists.proxmox.com
Date: Wed, 10 Mar 2021 10:26:27 +0100
Message-Id: <20210310092627.1684-1-f.ebner@proxmox.com>
Subject: [pve-devel] [RFC/PATCH storage] api: disk list: allow if an audit permission for the node is present

as that seems to be the more natural permission path for listing a node's local disks. For backwards compatibility, the old permission check has to be kept (relevant with propagate=0). This API call was originally part of the Ceph API and got copied here later, which might explain the current permission check. In the UI, the Disk panel is visible with a node audit permission, but the API call itself failed without the '/' audit permission.

Signed-off-by: Fabian Ebner

--- PVE/API2/Disks.pm | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/PVE/API2/Disks.pm b/PVE/API2/Disks.pm index d2ee81d..33bca76 100644 --- a/PVE/API2/Disks.pm +++ b/PVE/API2/Disks.pm @@ -82,7 +82,10 @@ __PACKAGE__->register_method ({ protected => 1, proxyto => 'node', permissions => { - check => ['perm', '/', ['Sys.Audit', 'Datastore.Audit'], any => 1], + check => ['or', + ['perm', '/', ['Sys.Audit', 'Datastore.Audit'], any => 1], + ['perm', '/nodes/{node}', ['Sys.Audit', 'Datastore.Audit'], any => 1], + ], }, parameters => { additionalProperties => 0, -- 2.20.1
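
Review bot: in the added `['perm', '/nodes/{node}', ['Sys.Audit', 'Datastore.Audit'], any => 1]` branch, `Datastore.Audit` is carried over unchanged from the `/` check, so with `any => 1` a user holding only `Datastore.Audit` on the node path can now list that node's local disks. Please confirm that is intended, or require `Sys.Audit` alone on `/nodes/{node}` and keep the two-privilege form only on the legacy `/` branch. The reason the `/` branch stays (backwards compatibility with propagate=0) appears only in the commit message; a short comment above the `'or'` would keep a later cleanup from dropping that branch by mistake.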